Mobile devices manufactured by a diverse set of handset makers were discovered to be loaded with malware pre-installed somewhere along the supply chain.
Check Point Software Technologies said that it found 38 Android handsets were infected with adware, information-stealing malware and ransomware, a collection of malicious code as sundry as the number of different manufacturers.
Researcher Daniel Padon said the 38 handsets belonged to Check Point customers who work for either an unidentified large telecommunications company, or multinational technology company. Padon would not identify the two companies, nor whether they were from the same country or region of the world.
The malware was added to the devices before they were in the users’ hands, and were not part of the vendor’s original ROM. For six of the devices, the attacker had system privileges for the device and the malware could not be removed without re-flashing the phone.
“We were surprised by such a number of different models; that seems strange to us,” Padon said. “When you have a large range of devices, it raises questions about how they chose to attack them and why so many different devices were infected.”
Padon speculated that the devices could have been tampered with at a retail location, and the phones were sold to the two companies. All 38 devices have been remediated through Check Point’s products, and Padon said that there are likely more devices in the wild that were similarly infected.
Padon said Check Point’s analysis determined when the original ROM was installed, and then weeks, months, or in one case, a year later, the malware was added to the ROM before the user activated it.
“This raises the question of the intent of the attack,” Padon said. “We would have expected one type of malware infecting one type of device. Since we found different malware, it could be someone experimenting, or separate events that are not connected; it’s all speculation at this point.”
Check Point said it found six devices infected with the Loki Trojan, a malicious ad network that’s been in circulation for more than a year. Loki can display ads to generate revenue, has mechanisms to maintain persistence, and it can intercept communication and exfiltrate data from an Android device. They also found devices infected with Slocker mobile ransomware, which encrypts files on the device and uses the Tor network for command and control communication.
“The main issue is the potential risk in such attacks is not something to be takes lightly because the grants such extensive capabilities,” Padon said. If an attacker has the device before it is returned to the supply chain, this opens any company or user to be infected with malware even if they’ve never clicked on a suspicious link, opened an attachment in an email or downloaded a phishing app.”
Check Point published a list of malware names, hashes and infected device types, which include:
- Samsung Galaxy Note 2
- Samsung Galaxy Note 3
- Samsung Galaxy Note 4
- Samsung Galaxy Note 5
- Samsung Galaxy Note 8
- Samsung Galaxy Note Edge
- Samsung Galaxy S4
- Samsung Galaxy S7
- Samsung Galaxy A5
- Samsung Galaxy Tab S2
- Samsung Galaxy Tab 2
- LG G4
- Xiaomi Mi 4i
- ZTE x500
- Oppo N3
- Vivo X6 plus
- 5 Asus Zenfone 2
- Lenovo S90
- OppoR7 plus
- Xiaomi Redmi
- Lenovo A850
Padon said this is the first time Check Point has investigated such an interdiction of the mobile supply chain. Last November, researchers at Kryptowire disclosed that phones manufactured by ADUPS Technology Co., of Shanghai, China were using and over-the-air update system shipped with BLU Products R1 HD phones to monitor users without permission.
This article was updated March 17 to update the list of affected devices, removing Nexus devices from the list.